The DDoS spam bot from hell (a suburb of China)

I'm back online to put out a fire. My inbox was full of alerts that the CPU on the server that runs the site was maxing out.

Well boys and girls, it turns out www.turnkeylinux.org has been under an escalating distributed denial of service attack that started about two weeks ago. To the best of my knowledge the site continued operating normally. We use a ton of caching. Did any of you notice a slowdown?

Lucky for us the "attack" was braindead simple so it was easy to figure out what was happening and block the offending IPs. 32 nodes from 4 Chinese /16 network blocks which I sincerely hope aren't home to any TurnKey fans:

The bot supposedly identifies itself as Firefox, but from the logs it's obvious it isn't behaving like a real browser. For example, a real browser gets CSS and image files. This just crawls all over the site and POSTs a zillion times the kind of predictable crap our spam filter blocks half-asleep.

What does that sound like? Ah yes, a poorly programmed, incredibly persistent spam bot network from hell. None of the spam attempts went through our countermeasures but it still took up a ton of CPU time.
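The fingerprint described above (claims to be Firefox, never fetches CSS or images, POSTs constantly) as a log-profiling check, written here as an added example rather than anything from the original post; the log lines are constructed samples in Apache combined format and the thresholds are assumptions:

```python
import re
from collections import defaultdict

# Apache "combined" log format; only the fields used below are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
STATIC = (".css", ".js", ".png", ".gif", ".jpg", ".ico")

def profile_clients(lines):
    """Per client IP: total requests, POSTs, and static-asset (CSS/image) fetches."""
    stats = defaultdict(lambda: {"requests": 0, "posts": 0, "static": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        s = stats[m["ip"]]
        s["requests"] += 1
        if m["method"] == "POST":
            s["posts"] += 1
        if m["path"].split("?", 1)[0].lower().endswith(STATIC):
            s["static"] += 1
    return dict(stats)

def suspicious_clients(lines, min_requests=5, post_ratio=0.5):
    """IPs that send enough traffic, are POST-heavy, and never fetch a single
    stylesheet or image, which is how the post tells the bot from a browser."""
    flagged = []
    for ip, s in profile_clients(lines).items():
        if (s["requests"] >= min_requests and s["static"] == 0
                and s["posts"] / s["requests"] >= post_ratio):
            flagged.append(ip)
    return sorted(flagged)

def _line(ip, method, path):
    # Constructed sample line; the user agent claims Firefox, as in the post.
    return (f'{ip} - - [02/Jan/2010:10:00:01 +0000] "{method} {path} HTTP/1.1" '
            f'200 512 "-" "Mozilla/5.0 (Windows; U) Firefox/3.0"')

# Constructed sample log: one bot-like client and one real browser session.
SAMPLE_LOG = (
    [_line("192.0.2.10", "POST", "/node/1/comment")] * 4
    + [_line("192.0.2.10", "GET", "/node/2"), _line("192.0.2.10", "GET", "/node/3")]
    + [_line("198.51.100.7", "GET", p) for p in ("/", "/misc/drupal.css", "/logo.png", "/docs")]
    + [_line("198.51.100.7", "POST", "/contact")]
)

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))  # ['192.0.2.10']
```

The flagged list is what you would feed into a firewall or fail2ban-style ban rather than blocking by hand.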

Being naturally inquisitive I investigated the offending IPs and it turns out most of them are running a remotely exploitable version of SSH (SSH-2.0-OpenSSH_4.3). I'm half tempted to run metasploit to get into these systems and clean away the spambot software as a public service but that's illegal and I'm a bit busy besides.

Wouldn't it be neat though if we had a net equivalent of the Justice League to deal with the kind of lowlife scum who commandeer hapless machines to run very low quality spam software?

Note that I tried doing the right thing and looked up the abuse contact for the network that was attacking us (and presumably thousands/millions of other sites) on WHOIS:

Then instead of sending off an angry e-mail into the void I actually picked up the phone, dialed the number, and listened to some funky Chinese elevator music until some guy (Mr. Jinneng Wang I presume?) who didn't speak English picked up and eventually hung up on me after an awkward mutually incomprehensible exchange. Of course. How could it be any different?

I don't get it, what's the point of putting up an abuse contact in the WHOIS records if the person listed doesn't speak English? Just list the abuse contact in Mandarin and get it over with.

Sometimes I feel like a character in a Neal Stephenson novel.

Comments

My webserver gets battered regularly by brute force idiots and automated attacks. Fail2ban is a nice way to wave the banstick automatically.

I did chase up the first few attacks (a German IP) but after running into constant dead-ends like 'recipient not found' bounced mail from abuse addresses, you run out of motivation to try to clean up the web.

Thanks for the fail2ban reference. I think I came across it a while back but I had totally forgotten about it since. Looks generic enough to be tweaked to deal with pretty much any circumstance. I'll set a threshold and auto-ban IP addresses that hammer us too hard. Thanks and happy new year!

A couple of years ago, when I had more free time, I actually looked up the network manager of the IPs used to send me spam email and sent them an email asking them to shut down the activity. I actually got more cooperative answers than I had expected. Even in English from Korea.

I haven't received spam or anything like that, yet. However, I have received a notification of someone from there that had attempted to hijack my account. Less than 36 hours ago my password was changed and I had to reset it. Another thing is that his IP wasn't one of the ones listed above (unless I'm mistaken) but his IP is 114.97.82.0, but all the other info, i.e. name, email, and phone number... now however my text seems to have gone bold so now imma stop

So, I will be honest. I didn't understand much of the article... I only ended up here because this Jinneng Wang tried to hack my email account. The IP address that was listed isn't the same as those in the article... But, I have changed my password and set up a security code through my phone... should I be worried about this? Is there something specific I should be doing to protect myself? I am very sorry for my ignorance when it comes to this topic. Any reply about what I should or shouldn't do to protect myself would be greatly appreciated.

Simply change your password to something secure, and if he manages to get into your account again, you could contact customer service from your provider and see if they could blacklist all the IP addresses he tried to access your account from.

This guy has been persistently battering my web-application for months. He automated signing up, and had generated a few hundred accounts before I figured out what was going on. Turns out he's really easy to identify: he picks a randomly generated hotmail email address (usually), a reasonable sounding username, and as a password he uses the following: the first 7 characters of the md5 hash of his username, with one letter capitalized and optionally adds an exclamation mark at the end.

So, we deleted all of his accounts, and changed the registration flow to claim success but silently fail on that combination (because seriously, screw that guy). Eventually the registration requests died down, but every two or three minutes my server gets hit by two login requests for what seems to be a randomly selected one of his non-existent accounts. For months. Around the clock.

One rather interesting thing though: In all the months that this has been happening, I got a single, solitary request following the same username/password pattern with a randomly-generated hotmail email address, but from an IP in Kansas City. Could be that's our "real" guy. I'm not sure how I'd follow up with this though.
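The fingerprint from this comment (password = first 7 characters of the MD5 of the username, one letter capitalized, optional trailing "!") together with the "claim success but silently fail" registration flow, as an added example that is not the commenter's own code; the `accounts` dict standing in for the user store and the return shape are assumptions:

```python
import hashlib

def bot_password_core(username):
    """First 7 hex characters of the MD5 of the username, which is what the
    commenter observed the bot deriving its passwords from."""
    return hashlib.md5(username.encode("utf-8")).hexdigest()[:7]

def matches_bot_pattern(username, password):
    """True when the password is that 7-character prefix with exactly one
    letter capitalized and an optional exclamation mark at the end.
    If the prefix contains no letters there is nothing to capitalize; the
    comment does not say what the bot does then, so such input is not flagged."""
    body = password[:-1] if password.endswith("!") else password
    if len(body) != 7 or body.lower() != bot_password_core(username):
        return False
    return sum(1 for ch in body if ch.isupper()) == 1

def register(username, email, password, accounts):
    """Registration flow from the comment: genuine sign-ups are stored in
    `accounts` (assumed in-memory dict); the bot's combination gets a
    'success' answer but no account is created. Passwords are never stored."""
    if matches_bot_pattern(username, password):
        return {"ok": True, "created": False}  # claim success, silently drop
    if username in accounts:
        return {"ok": False, "created": False, "error": "username taken"}
    accounts[username] = {"email": email}
    return {"ok": True, "created": True}

if __name__ == "__main__":
    store = {}
    # Constructed sample: "admin" hashes to 21232f29..., so the bot would send 21232F2!
    print(register("admin", "x@example.com", "21232F2!", store), store)
```

Logging the silently dropped attempts separately gives you the hit rate of the bot without it learning that it was detected.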

Ok, so we also share a mutual friend. I also noticed the Kansas IP in my logs months ago. I traced it to an abandoned barn, by fields and country roads. I forget the city it was in now, but I doubt that is the real address. Most likely it's a proxy, or he/she is using a mobile device, piggybacking off of open wifi, or using air-crack to get into someone's wifi. I doubt he/she would leave crumbs right to his/her door. He/She may even be using our machines as zombies/botnets to attack other webservers. You know, the old use someone else's machine remotely to attack, until the machine owner realizes what is happening, or the feds/Interpol come kicking in the machine owner's door for cyber crimes. If the Kansas hacker and the China cracker are the same person, then I believe they are doing their attacks from botnetted machines. My antivirus didn't alert me, and my firewall didn't stop him/her from gaining access to my pc. The only reason I found the Kansas hacker was because I had just installed zAnti on my tablet with lots of credits. I started pen testing and noticed someone "unknown" establishing a connection on 2 of my private ports, so I decided to say hi xD. (Yes, my tablet is unlocked and rooted, it has smb explorer pro, ssh/telnet/linux shell (Terminal, cmd), etc, IP Scanner, NetTools, router pwn, zAnti platinum pack (like a portable version of backtrack), hackers keyboard, FaceNiff paid version, etc)... I joined the open session, and sent a hi message. As soon as I did the attacker disconnected. I got the IP and the Kansas barn is where it led me to.

The only new thing I downloaded that could have exploited me was a browser add-on, I forget which one it was now, and a few different injectors I downloaded for a project. The site I got them from did have an issue with a few packed metasploits getting by staff, so this could be how I was attacked. I did a full format afterwards, went to my friend's, updated it, took it online, got it good again, then took it home. I haven't noticed the Kansas hacker since.

Also, around this time, I had someone from China try to access my email. So I did a reverse lookup of the IP, and the name/owner etc.

lol trying to feel all special about himself thinking he's doing something so complicated and technical just doing a simple ip block, what a load of fucking idiots, typical linux users these days i swear rofl as if anyone actually uses this site.

wow it's been ongoing for years. crazy. anyway, this morning and over the last few days I've observed the brute force attack against one of my servers. here's the updated whois data that led me to this post, this is our suspect or known associate:

This fine specimen of whale feces we know as Jinneng Wang is still up to his old tricks, in my case, trying to use one of my web contact forms to spam.

As a small aside, I've set the form to ask for first name and last name in separate fields and to compare the two. If both are the same, as 100% of bots thus far appear to do, the form gets bumped and I get a warning that somebody misused the form.

The ip addresses that try to spam the form are so wide ranging that rather than ban individual IPs I've now opted to just ban address blocks.

When you WHOIS the IP and find the owner, take note of the owner's address block and then enter it into your .htaccess file using CIDR notation. Voila, whole IP range snagged.

# Order Allow,Deny: the Allow rules are evaluated first, then the Deny rules,
# and a match on Deny wins, so everything is allowed except the blocks below.
Order Allow,Deny
Allow from All
Deny from 27.153.128.0/17
Deny from 117.64.0.0/13
Deny from 120.37.255.0/24
Deny from 140.237.0.0/17
# Deny by host name: Apache does a double reverse DNS lookup of the client for this.
Deny from 163data.com.cn
Deny from 183.160.0.0/13
Deny from 223.240.0.0/13

If you're unsure how to translate an address block such as "117.64.0.0 - 117.71.255.255", you will find the following web page very handy.
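For translating a WHOIS range such as "117.64.0.0 - 117.71.255.255" into CIDR blocks offline, here is an added example that is not the commenter's code: it splits any inclusive IPv4 range into the minimal set of aligned blocks, renders the Deny rules in the same form as the .htaccess snippet above, and checks whether a logged address would be caught. The sample ranges are two from the list above plus a constructed unaligned one.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Split an inclusive IPv4 range into the minimal list of CIDR blocks."""
    start = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if start > end:
        raise ValueError(f"range start {first} is after range end {last}")
    blocks = []
    while start <= end:
        prefix = 32
        # Widen the block while it stays aligned to its size and inside the range.
        while prefix > 0:
            size = 1 << (32 - (prefix - 1))
            if start & (size - 1) or start + size - 1 > end:
                break
            prefix -= 1
        blocks.append(f"{ipaddress.IPv4Address(start)}/{prefix}")
        start += 1 << (32 - prefix)
    return blocks

def htaccess_deny_block(ranges):
    """Render Apache 2.2-style access rules (as in the comment above) for a
    list of (first, last) ranges copied from WHOIS records."""
    lines = ["Order Allow,Deny", "Allow from All"]
    for first, last in ranges:
        lines += [f"Deny from {cidr}" for cidr in range_to_cidrs(first, last)]
    return "\n".join(lines) + "\n"

def is_denied(ip, ranges):
    """Check whether a client address seen in the logs falls in a denied block."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(cidr)
               for first, last in ranges
               for cidr in range_to_cidrs(first, last))

# Constructed sample: two ranges from the comment's list plus an unaligned one.
SAMPLE_RANGES = [
    ("117.64.0.0", "117.71.255.255"),    # -> 117.64.0.0/13
    ("120.37.255.0", "120.37.255.255"),  # -> 120.37.255.0/24
    ("10.0.0.5", "10.0.0.10"),           # hypothetical; needs four blocks
]

if __name__ == "__main__":
    print(htaccess_deny_block(SAMPLE_RANGES))
```

Always re-run `is_denied` on a few addresses from your own logs after editing the file, since an off-by-one in the range is the usual way a block quietly fails to catch the traffic.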